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(54) Method amd apparatus for delivering documents over an electronic network 



(57) A method and apparatus are provided for 
securely delivering documents over an electronic net- 
work (18) while preserving document formatting. The 
invention also provides security that restricts access to 
the system to an authorized user. A document is sent 
from a sending computer (14) to a dedicated server 
(22), using a send client application (20). A dedicated 
server (22) stores the document (16) and forwards an 
electronic notification to a receiving device (24,26,28). 
The stored document is downloaded from the dedicated 



server (22), using a receive client application (30), in 
response to the notification. The receive client applica- 
tion (30) permits the recipient to receive, view, print, 
and/or manipulate the document. A sender driven certif- 
icate enrollment system (1342) and methods of its use 
are also provided, in which a sender (1352) controls the 
generation of a digital certificate (1345) that is used to 
encrypt and send a document to a recipient (1370) in a 
secure manner. 
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Secret key encryption, sometimes referred to as sym- 
metric key cryptography, employs a technique of scram- 
bling information to prevent unsolicited access, using a 
unique, secret key 1214. 

[0016] Figure 2 is a block diagram of secret key 
decryption 1210b, wherein the same, unique secret key 
1214 is required to unscramble 1 222 the encrypted doc- 
ument 1220, to reproduce a copy of the original docu- 
ment 1212. Without access to the secret key 1214, an 
encrypted document 1220 remains secure from tamper- 
ing. 

[0017] One potential issue with secret key encryption 
1210a and 1210b is the challenge of distributing the 
secret key 1214 securely. For example, suppose a 
sender uses secret key encryption to encrypt a docu- 
ment 1212, and then sends a recipient the encrypted 
document 1220. The recipient needs the secret key 
1214 to decrypt 1222 the encrypted document 1220. If 
the secret key 1222 is sent over a non-secure channel, 
then the integrity of the security is compromised. For 
most applications, telephone or fax provides a secure 
enough means of delivering secret keys 1214, while the 
encrypted document 1220 can be delivered over the 
internet using the Posta™ document delivery system. In 
some instances, however, senders and recipients 
require a more robust or convenient means of distribut- 
ing a secret key 1214. 

[0018] Public key encryption facilitates a more robust, 
and typically a more convenient means, of delivering 
information securely. With public key encryption, each 
recipient owns a pair of keys, called a public key and a 
private key. The key pair's owner (the recipient) pub- 
lishes the public key, and keeps the private key a secret. 
[001 9] Fig. 3 is a block diagram of public key encryp- 
tion 1230a, wherein a document 1312 is encrypted, or 
scrambled 1234, with a public key 1332, producing an 
encrypted document 1336. To send information to a 
recipient, a sender uses the published public key 1332 
of the intended recipient to encrypt 1234 the informa- 
tion, and then the recipient uses their own private key 
1334 (Fig. 4) to decrypt the information. Hence, the pri- 
vate key 1334 (which is necessary to decrypt the infor- 
mation) is not distributed. Fig. 4 is a block diagram of 
private key decryption 1230b, wherein the private key 
1 334 is required to unscramble 1 238 the encrypted doc- 
ument 1336, to reproduce a copy of the original docu- 
ment 1312. Without access to the private key 1334, an 
encrypted document 1336 remains secure from tamper- 
ing. 

[0020] Public key encryption 1230a and 1230b typi- 
cally exploits a mathematical relationship between the 
public and private keys 1332, 1334, which allows a pub- 
lic key 1332 to be published, without risking the deriva- 
tion of the private key 1334 from the published public 
key 1332. 

[0021] Public key encryption algorithms are typically 
complex, and hence may be too time consuming to be 
of practical use for many users. Secret key encryption 



1210a, 1210b is typically much faster than public key 
encryption 1230a, 1230b, but requires the transmission 
the secret key 1214 from the sender to the recipient. 
[0022] In a digital envelope system, a user encrypts a 

5 document 1212 with a secret key 1214, and then 
encrypts the secret key 1 214 with the public key 1332 of 
the intended recipient. The recipient of the encrypted 
document 1220 then uses their private key 1240 to 
decrypt the secret key 1214, and then uses the secret 

w key 1 21 4 to decrypt the document. 

[0023] It is often useful to verify if a document has not 
been altered during transmission, or to verify who sent 
or received a given document. Hashing algorithms (or 
message digests) and public key technologies facilitate 

75 solutions to document integrity and transport verifica- 
tion. 

[0024] Digital certificates can also be used to provide 
enhanced security for encrypted information. Suppose 
a recipient owns a public/private key pair and wishes to 

20 publish the public key 1332 so others can use the public 
key 1332, either to encrypt information to be sent to the 
recipient, or to verify the digital signature of the recipi- 
ent. A secure technique for the recipient to publish the 
public key 1332 is to register the public key 1332 with a 

25 trusted authority. The trusted authority can then certify 
that a particular public key 1332 belongs to the recipi- 
ent. A digital certificate connects a recipient, or other 
entity, with a particular public key 1332. 
[0025] A digital certificate, as disclosed later, is a 

30 record of a public key and an identity, and the associa- 
tion of the two as attested to by a third party by means 
of a digital signature. The private key is not in the certif- 
icate, but only one private key can match a given public 
key. A public/private key pair is actually a pair of num- 

55 bers with the following properties. 

The private key cannot be derived easily from the 
public key; and 

40 • The public key can be used to cipher data which 
can only be deciphered by knowing the private key 
(some public keys algorithms, such as RSA, also 
have the inverse property, which makes them suita- 
ble for use a digital signatures). 

45 

[0026] A trusted or certificate authority issues and 
maintains digital certificates. 

[0027] The disclosed prior art systems and methodol- 
ogies thus provide some methods for the encryption 

so and secure delivery of documents, but fail to provide a 
simple digital certificate generation and enrollment sys- 
tem that is implemented and controlled by a sender. The 
development of such a digital certificate system would 
constitute a major technological advance. 

55 [0028] It is therefore the object of the present invention 
to provide an apparatus for managing and delivering 
documents, which overcomes the drawbacks of the 
prior art. This object is solved by the apparatus for man- 
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tional commands. 

[0040] The invention also provides a security frame- 
work that restricts system access to an authorized user. 
The types of security supported include authentication 
layers, secure socket layers, password protection, pri- 
vate key encryption, public key encryption, and certifi- 
cate authentication. The security framework can be 
implemented as one or more modules, and can be 
incorporated into at least one of the send client applica- 
tion, the receive client application , and the CUI. 
[0041] A sender driven certificate enrollment system 
and methods of its use are provided, in which a sender 
controls the generation of a digital certificate, which can 
be used to encrypt and send a document to a recipient 
in a secure manner. The sender compares previously 
stored recipient information to gathered information 
from the recipient. If the information matches, the 
sender transfers key generation software to the recipi- 
ent, which produces the digital certificate, comprising a 
public and private key pair. The sender can then use the 
public key to encrypt and send the document to the 
recipient, wherein the recipient can use the matching 
private key to decrypt the document. In a preferred 
embodiment, a server is interposed between the sender 
and the recipient, to provide increased levels of system 
security, automation, and integrity. 
[0042] The above mentioned and other features of the 
present invention and the invention itself will be under- 
stood by the reference to the following detailed descrip- 
tion of the preferred embodiments of the invention, 
when considered in conjunction with the accompanying 
drawings, in which: 

Fig. 1 is a block diagram of secrei key encryption of 
a document; 

Fig. 2 is a block diagram of secret key decryption of 
a document; 

Fig. 3 is a block diagram of public key encryption of 
a document; 

Fig. 4 is a block diagram of private key decryption of 
a document; 

Fig. 5 is a diagram of a document delivery system 
according to the invention; 

Fig. 6 is a view of an application window according 
to the invention; 

Fig. 7 is a view of an application window showing 
document activities according to the invention; 

Fig. 8 is a view of a package window, according to 
the preferred embodiment of the invention; 

Fig. 9 is a view of a recipient's window according to 



the invention; 

Fig. 10 is a view of a CUI application window 
according to the invention; 

5 

Fig. 1 1 is a view of a CUI package window accord- 
ing to the invention; 

Fig. 12 is a view of a CUI options page according to 
10 the invention; 

Fig. 13 is a view of a CUI tracking search page 
according to the invention; 

75 Fig. 14 is a view of a CUI tracking report prefer- 
ences dialog according to the invention; 

Fig. 15 is a view of a recipient summary tracking 
report in basic format according to the invention; 

20 

Fig. 16 is a view of a recipient detail tracking report 
in Basic Format according to the invention; 

Fig. 1 7 is a view of a recipient detail tracking report 
25 in billing code format according to the invention; 

Fig. 18 is a view of a group account manager 
account - view members window according to the 
invention; 

30 

Fig. 19 is a view of a billing codes window accord- 
ing to the invention; 

Fig. 20 is a view of an edit billing codes dialog 
35 according to the invention; 

Fig. 21 is a view of an add billing codes dialog 
according to the invention; 

40 Fig. 22 is a view of a create invoice page, according 
to the invention; 

Fig. 23 is a view of a basic invoice report window 
according to the invention; 

45 

Fig. 24 is a view of a billing preferences dialog 
according to the invention; 

Fig. 25 is a view of an invoice report in spec invoice 
so format according to the invention; 

Fig. 26 is a view of an invoice report in billing code 
invoice format according to the invention; 

55 Fig. 27 is a view of a mail list page according to the 
invention; 

Fig. 28 is a view of a mail list detail page according 
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the intended recipient can copy the URL directly from 
the notification message, and paste it into a Web 
browser on the receiving computer. The Web browser 
then retrieves the document from the dedicated server 
In alternative embodiments of the invention, the receive 
client application is any other software application capa- 
ble of retrieving the stored document from the dedicated 
server while maintaining document formatting. 
[0051] The send client application is readily installed 
on a computer from a CD-ROM, or by downloading from 
the Web. For example, a user who already has an 
account with a dedicated server provider can configure 
the send client application with the appropriate account 
information. A user who does not have such an account 
is directed to a URL that has the information for setting 
up an account. 

[0052] The send client application is accessed via an 
application window displayed on the sending compu- 
ter's desktop. The application window is displayed once 
the account information is properly configured. Fig. 6 is 
a view of an application window 32 according to the pre- 
ferred embodiment of the invention. 
[0053] The main function of the application window is 
to view the status of, and to manage send client applica- 
tion activity. The application window also serves as a 
launching pad to reach the various functions of the send 
client application and the configuration user interface 
CUI (discussed below). 

[0054] In the preferred embodiment of the invention, 
the application window displays a main tool bar 34 for 
accessing main functions of the send client application. 
One such function is the selectable button for new pack- 
age 36. Clicking on new package opens a new package 
window (discussed below), which allows a user to initi- 
ate a delivery of a document. Clicking on the open but- 
ton 38 opens either a saved delivery parameter or a 
saved package window (discussed below). 
[0055] In the preferred embodiment, the main tool bar 
34 includes buttons that are Internet shortcuts to CUI 
functions. Clicking on such button launches the user's 
Web browser and displays the appropriate page in the 
CUI. In the preferred embodiment of the invention, no 
additional login is required in this process. Examples of 
such buttons include tracking 40, account 42, billing 44, 
and mail lists 46 buttons. 

[0056] Buttons may also be provided for send client 
application settings. For example, a preferences dialog 
accessed via a setup button 48 permits the user to 
specify dedicated server and proxy server account infor- 
mation. The user can also specify whether or not to use 
a low-level secure communications protocol, such as 
Secure Socket Layer (SSL) to secure the connection 
between the desktop and the dedicated server for all 
transmissions. 

[0057] The send client application can access the 
local address books of supported applications. In the 
preferred embodiment of the invention, the user selects 
the setup button 48 and is presented with a pull-down 



menu which lists the address books supported by the 
invention. The user then selects the desired address 
book file. 

[0058] A stop button 50 is used to stop transmission 
5 of all information to the dedicated server. In the pre- 
ferred embodiment of the invention, once clicked, the 
stop button remains depressed. To resume transmis- 
sion, the user clicks on the button again, and it returns 
to a raised position. 
10 [0059] The menu 52 lists operational commands for 
the send client application. In the preferred embodiment 
of the invention, the file menu 54 contains commands 
that have the same functionalities as buttons on the 
main tool bar 34. Other commands provide information 
75 regarding the send client application, or are Internet 
shortcuts to functions of the CUI. In Fig. 6, the menu 
includes listings for edit 56, package 58, CUI 60, and 
help 62. 

[0060] The application window also displays a pack- 
20 age manager 64 that lists all document activities initi- 
ated during an application session. The package 
manager is an area, or set of fields in the body of the 
application window which lists all document activities 
that have been initiated during a send client application 
25 session. When the send client application is first 
launched, the package manager field is empty. How- 
ever, as documents are sent, they are listed in the pack- 
age manager. 

[0061] Fig. 7 is a view of an application window 32 

30 showing document activities 72 according to the pre- 
ferred embodiment of the invention. The package man- 
ager may display the recipient(s) 66, the subject 68, and 
the status 70 of the delivery. The status of an active 
delivery may be represented as a dynamic percentage 

35 of upload completed. Other possible status labels 
include "completed," "error," "pending," and "on hold." 
[0062] Documents may be listed, for example, in 
processing, or reverse processing orders. In the pre- 
ferred embodiment of the invention, the document cur- 

40 rently being processed 74 is presented in bold 
characters. In alternate embodiments, the current docu- 
ment is indicated by other means, including highlighting, 
flashing, or color, or is unmarked. 
[0063] Clicking on a listed document 76 highlights that 

45 listing and selects the document. Multiple documents 
may be selected at one time. Once a document is 
selected, the user can use the menu 52, for example, to 
hold, edit, or delete the document. 
[0064] A hold prevents a pending document from 

50 being processed. The document is held in a queue until 
it is deleted or the hold is removed. In the preferred 
embodiment of the invention, any or all documents in 
the list can be deleted. A current send is completely 
aborted, and an already-processed document is 

55 deleted from the window. 

[0065] Editing opens a document within a new pack- 
age window (discussed below). The user can then edit 
the document and resubmit it for sending. If a document 
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saved package window may then be re-opened for 
future use. 

[0082] Saved delivery parameters can be used on a 
recurring basis across sessions. From a package win- 
dow, a user can save delivery parameters including 
specified send options, an address list, and/or a fixed 
subject or message. To save delivery parameters, a 
user clicks on the save parameters button 96. A dialog 
box prompts the user to specify a name and location for 
the delivery parameters to be saved. 
[0083] If the saved delivery parameters contain an 
address list, the user can initiate a delivery by clicking 
and dragging a document icon onto the saved delivery 
parameter icon. The document provides the remaining 
information required for a delivery, and the send is initi- 
ated automatically. The saved delivery parameter thus 
serves as a dedicated mail chute to a specific set of 
recipients. 

[0084] The existing send options may be modified or 
confirmed before launching the delivery. A window dis- 
playing all send parameters is opened, and the user can 
modify parameters or append a message before send- 
ing the document. In the preferred embodiment of the 
invention, the user is prompted to save any modifica- 
tions to send options or existing address lists upon clos- 
ing the package window. 

[0085] If the saved delivery parameters do not include 
an address, clicking and dragging a document onto the 
saved delivery icon opens a package window. The 
saved send options and name of the document are 
specified in the package window. The user must specify 
a recipient before the document can be sent. 
[0086] Saved delivery parameters are opened by 
clicking on the associated icon, or by selecting the 
appropriate main tool bar 34 or menu items. The set- 
tings are displayed in a package window and are com- 
pleted or modified for a delivery. If the send client 
application is not open, opening the saved delivery 
parameters opens the application window as well as a 
package window. Modifications to the saved delivery 
parameters are preserved by replacing the existing 
saved parameters, or by creating a new saved delivery 
parameters file under a different name. 
[0087] If unsaved changes have been made to the 
saved delivery parameters, the user is prompted to save 
the changes upon closing the package window. A 
sender can add an address list to an existing saved 
delivery parameter that did not previously contain an 
address list. The settings of the package window are 
saved using the "save settings as default" button 1 16. 
[0088] Fig. 9 is a view of a recipients window accord- 
ing to the preferred embodiment of the invention. The 
recipients window 118 is used to select the recipient's 
name from an address book or pre-defined mail list. 
[0089] In the preferred embodiment of the invention, a 
pull-down menu 120 allows the user to access 
addresses in a local address book or a mail list. For 
example, selecting mail list in the pull-down menu and 



clicking on the refresh button 122 populates the list box 
124 with the names of the mail lists stored on the dedi- 
cated server for the account for which the send client 
application is configured. Selecting local address book 
5 and clicking on the refresh button populates the list box 
with addresses from the address book specified in the 
preferences dialog. 

[0090] Each time the recipients window is opened, the 
send client application displays a previously cached list 

10 of addresses. Clicking on refresh forces a refresh of the 
list from the appropriate source. The send client appli- 
cation presents the last selected source for the next 
send, both within and across sessions. The cancel but- 
ton 135 cancels the recipients window display. 

75 [0091] A user can select items from the list box 124 
and click the "To" arrow button 126 to specify the selec- 
tions as recipients. In the preferred embodiment of the 
invention, control-click allows selection of multiple items 
and shift-click selects a range of items. Recipients are 

20 presented in the recipients box 128. Recipients listed in 
the recipients box list are selected and removed by 
clicking the delete button 130 or by hitting keyboard 
backspace or delete keys. 

[0092] When the user clicks on the "OK" button 132, 

25 items in the recipients box list are displayed in the "To:" 
field 1 10 of the package window 78 (see Fig. 8). In the 
preferred embodiment of the invention, mail lists have 
the prefix "list:" prepended to them. A user can also 
delete or modify recipient addresses from the "To:" field 

30 of the package window. 

[0093] The specified document delivery parameters 
may be stored in a storage module for later modification 
and/or use. In the preferred embodiment of the inven- 
tion, the send client application and the package win- 

35 dow are accessed by selecting their representative 
icons (not shown) from the sending computer's desktop. 
[0094] A configuration user interface is provided for 
directly invoking and customizing the dedicated server. 
The CUI is accessed via a GUI application window dis- 

40 played on a managing computer desktop. Alternatively, 
the CUI is accessed through any Web browser applica- 
tion that supports tables, or accessed through the send 
client application. Fig. 10 is a view of a CUI application 
window 140 according to the preferred embodiment of 

45 the invention. 

[0095] In the preferred embodiment of the invention, 
the CUI is an HTML interface for invoking and customiz- 
ing the dedicated server via a Web browser. This HTML 
interface includes modules for sending the document, 

so tracking the document, accessing information associ- 
ated with the document delivery account, managing bill- 
ings for the document delivery, and managing mail 
distribution lists. 

[0096] The CUI offers different sets of functions, 
55 depending on the user and type of account used. Indi- 
vidual account holders, group account managers, and 
group members see slightly different interfaces and are 
able to access and manipulate varying sets of data. 
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preferred embodiment of the invention. The preferred 
embodiment of the invention supports security and 
encryption features permitted under current law for use 
in the United States. Alternative embodiments of the 
invention comply with any security and encryption 5 
requirements for software applications intended for 
export from the United States. 
[01 1 3] The CU I user may specify a password 206 that 
a recipient must provide to access a document. The 
user may also specify confirm password 208, encrypt w 
document 210 and require SSL to receive 212. The 
password may be used as a secret key to encrypt the 
document on the server. This provides a higher level of 
security while the document is stored on the server. If 
the encrypt document function 210 is selected but the 15 
user has not specified a password, the GUI transmits an 
error message when the user attempts to apply the set- 
tings. 

[0114] The billing code option 214 allows users to 
select a billing code, including "None" from a pull-down 20 
menu. The list is defined and maintained in the billing 
module of the CUI (see Fig. 19). The "Billing Code" text 
link brings users to the billing section of the CUI. Users 
may thereby view and manipulate billing codes. 
[0115] Clicking on the reset button 216 restores the 25 
default settings. Alternatively, the current settings may 
be saved 218 as the default. Once the options are set, 
the user uses the Update button 220 to return to the 
package window 170. A delivery is then initiated by 
clicking on the send button 188. 30 
[01 1 6] Tracking is accessible from the tracking button 
144 on the persistent main tool bar 154. The tracking 
search function is used to query the CUI database for 
information about deliveries sent from an account. A 
sender can therefore find out whether a recipient has 35 
received a particular document. The database archive 
can also be searched for records of past transactions. 
[0117] Fig. 13 is a view of a CUI tracking search page 
222 according to the preferred embodiment of the 
invention. The secondary navigation from the second- 40 
ary tool bar 156 includes log 224, search 225, report 
226, preferences 228, and help 1 58. The current func- 
tion 192, search 225, is identified. The tracking button 
on the main tool bar displays a record of all deliveries 
sent from the account as a delivery log (not shown). 45 
[0118] Account managers are permitted to track ail 
deliveries initiated from a group account. Group mem- 
bers are permitted to track only those deliveries initiated 
personally by the member. 

[0119] The format of the delivery log is specified in so 
tracking preferences (see Fig. 14). The format chosen 
applies to both the delivery log and the tracking report 
(see Figs. 15-17). The preferred embodiment of the 
invention includes navigation buttons to permit the user 
to access previous, or subsequent log pages. Informa- 55 
tion regarding an individual delivery may be displayed 
on the delivery log, along with an indication of the total 
number of deliveries logged. 



[0120] The subject of each listing in the log links to a 
package detail report (not shown) about the specific 
delivery. A detail report contains send parameters of 
each delivery, including a link to the document if not 
expired, the mimetype, and the message. The detail 
report also contains the status of the delivery to each 
recipient, and the charges applied to the transaction. 
Users can click on log 224 on the secondary tool bar 
156 to return to the top level log. 
[0121] The search function allows users to pinpoint 
information about, and the status of, a specific delivery 
or set of deliveries. The user specifies any combination 
of search criteria to identify the deliveries of interest. If 
multiple criteria are specified, the search engine per- 
forms a logical "AND" search among all the criteria. 
[0122] In the preferred embodiment of the invention, 
the search page graphical user interface (GUI) is simpli- 
fied. A short list 230 of common searchable fields is pre- 
sented on the Search page. The short list contains five 
search criteria: 

[01 23] The "To:" field 232 allows a user to search by 
the intended recipient's full or partial E-mail address of 
the recipient. Partial e-mail addresses allow the user to 
search by domain name. 

[0124] The "From:" field 234 allows an account man- 
ager to search according to the originator of the deliv- 
ery. The account manager selects a member's e-mail 
address from a pull down menu. For group members 
and individual account holders, this given user s e-mail 
is provided and cannot be changed. 
[01 25] The "Subject:" field 236 allows a user to enter 
keywords which may be found in the subject field of a 
document. 

[01 26] The "Document:" field 238 allows a user to per- 
form a text search on the name of the document. A user 
can type in the name of the document, or browse 
through the list of documents to select a document. 
[0127] The "Send date:" field 240 allows a user to 
search for deliveries sent on, before, or after a specific 
date. 

[0128] Clicking on the search button 242 initiates the 
query and returns a report with all deliveries matching 
the query. Clicking on the reset button 246 clears the 
form to its default setting. 

[0129] Clicking on a "More Options..." button 248 at 
the bottom of the short form brings the user to a page 
having a second, expanded list (not shown) of searcha- 
ble fields, including all fields from the short list. In the 
preferred embodiment, the additional fields in the 
expanded list include: 

[0130] The billing code: field allows a user to select 
from a pre-defined list in a pull down menu. 
[0131] The "Delivery status:'' field allows a user to 
select from a menu of delivery statuses. Delivery status 
options include: any, received, not received (includes 
both failed notification and not picked up), confirmed, 
not confirmed, pending notification and failed notifica- 
tion. The user may also search document expiration, 
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existing password and the desired new password, and 
must confirm the new password. The manager submits 
the new password by clicking on Update. 
[0150] In the preferred embodiment, the information 
page also includes a field which informs the manager 
when the password was last changed. If the password 
has never been changed, this field presents the creation 
date of the account. A link may also be provided to a 
server manager who is authorized to make changes to 
accounts. 

[01 51 ] Managers can view a list of members by click- 
ing on the members text link on the Information page, or 
by selecting the view members function of the second- 
ary tool bar 156. Fig. 18 is a view of a group account 
manager account - view members window 288, accord- 
ing to the preferred embodiment of the invention. In one 
embodiment, managers use a link (not shown) to Pref- 
erences (not shown) where the managers can specify 
the format, the number of rows per page, and the sort- 
ing order of the View Members table. 
[0152] The view members page displays the name 
290 of the group account, and the number 292 of the 
members displayed out of the total number. The list of 
members includes the account manager, and is pre- 
sented in a table which lists the member account names 
294, the member names 296, the date created 298, and 
the date last accessed 300. Clicking on a member's 
name brings up a "Mailto:" box (not shown), pre- 
addressed to the member. 

[01 53] Clicking on the account name allows managers 
to view and edit individual member account information. 
This information is displayed on a member account 
information page (not shown) which is similar in format 
to the group account information page. Basic member 
account information includes the following (editable 
information is noted): 

group account 
member account (editable) 
date created 
• date last accessed 

Member information 

[0154] 

member name (editable) 
e-mail address (editable) 

[0155] Managers cannot view the member's pass- 
word, but can change the password on the member 
account information page by specifying a new password 
and confirming it. The date of the last password change 
(not shown) by either manager or member is also dis- 
played. Any changes made to the information on this 
page can be submitted by clicking on update (not 
shown). Reset (not shown) restores the previously 
stored information. 



[0156] Member accounts can be completely deleted 
by clicking on a delete button on the member account 
information page. Prior to deleting the account, the ded- 
icated server posts a confirmation page notifying the 
5 manager of the impending action and requesting confir- 
mation before proceeding. When the member account 
is updated or deleted, an updated view members win- 
dow is displayed. 

[01 57] Managers can add members by clicking on the 
io add member link in the secondary tool bar 156. A form 
(not shown) is displayed prompting the account man- 
ager for the information required to create a member 
account. The form indicates the group account to which 
the member is added, and the number of the member 
15 out of the maximum total members allowed. The infor- 
mation required includes: 

member account name (created by the manger) 
member's name 
20 • member's e-mail address 

password (and confirm password) 

[0158] Clicking on add (not shown) creates a new 
account and returns the manager to an updated view 
25 members window. Clicking on reset (not shown) clears 
the form. 

[0159] Because individual accounts have no group 
members aside from the account holder, such individual 
account holders do not have member information or 

30 functions. The secondary tool bar 156 includes only 
Information (not shown) and help (not shown.) The 
information displayed from the account information 
page is the same as that available from the group 
account information page, except for the number of cur- 

35 rent members. 

[0160] Member account holders also do not have 
member management functions, and the secondary 
tool bar includes only information (not shown) and help 
(not shown). Member account information contains the 

40 same basic information as that viewed by managers. 
However, members are only able to edit e-mail address 
information. 

[0161] In the preferred embodiment, members can 
change their own passwords on the member account 

45 information page. They must enter the current pass- 
word, the new password, and then must confirm the 
new password. However, in alternative embodiments, 
members may only be able to change their passwords 
via the account manager. 

so [01 62] The billing button 1 48 on the main tool bar 1 54 
gives access to billing code mode management and 
invoice functions. Clicking on the billing button displays 
a table 320 of defined billing codes. Fig. 19 is a view of 
a billing codes window 308, according to the preferred 

55 embodiment of the invention. 

[01 63] Secondary navigation for billing on the second- 
ary tool bar 156 includes billing codes 310, add codes 
312, create invoice 314, view Invoice 316, preferences 
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first column is description and the list is sorted by 
description. The user specifies the number of rows dis- 
played 402 per page. 

[0184] The user also specifies the rate 404 to charge 
clients. This rate can be a flat charge 408, or may 
include a percentage mark-up 406 on top of the costs 
charged by the user's Internet services provider. The 
information displayed in the billing preferences dialog 
can be updated 405 or refreshed 407. 
[0185] For the invoice report, the user may select a 
predefined format 410, or define 412 a new format. In 
the preferred embodiment, the user selects from three 
predefined formats the basic invoice, spec invoice, and 
billing code invoice formats. The basic invoice format 
has previously been shown in Fig. 23. 
[0186] Fig. 25 is a view of an Invoice report in spec 
invoice format according to the preferred embodiment of 
the invention. The spec invoice 414 displays the total 
number 41 6 of recipients for each delivery as well as the 
size 418 of the document. This information is sorted 
chronologically. 

[0187] Fig. 26 is a view of an invoice report in billing 
code invoice format according to the preferred embodi- 
ment of the invention. The billing code invoice format 
420 is sorted by billing code 422, as well as by date. 
[0188] The CUI allows publishers and other users to 
create and manage distribution lists. Fig. 27 is a view of 
a mail list page 424 according to the preferred embodi- 
ment of the invention. Mail list functions are accessible 
from the main tool bar 154. Secondary navigation 
includes mail list 426, create list 428, preferences 530 
and help 158. 

[0189] There are two levels of mail lists for group 
accounts, i.e. group and personal. Group lists are man- 
aged by the account manager and are accessible to all 
group members. A group member can define a personal 
list accessible only by that group member. Each mem- 
ber can specify which set of lists to use in their mail list 
preferences. 

[0190] Clicking on the mail list button 1 50 on the main 
tool bar 1 54 displays a table 432 listing existing mail lists 
434. The table also presents the total number 436 of 
recipients on each mail list and the date 438 the mail list 
was most recently modified. The preferences settings 
440 are also displayed. 

[0191] In mail list preferences (not shown), the user 
specifies whether to sort the items by the name of the 
mail list or by date. Current preferences are displayed in 
the mail lists dialog. Next and previous buttons (not 
shown) may be provided to navigate between pages of 
mail lists. 

[0192] Clicking on the hot-linked name 442 of a mail 
list brings up a mail list detail for the selected mail list. 
Fig. 28 is a view of a mail list detail window 444, accord- 
ing to the preferred embodiment of the invention. 
[0193] The mail list detail page displays general infor- 
mation about an existing mail list and allows the user to 
view and manage mail list addresses. Group members 



cannot manipulate group mail lists. Therefore, the mail 
list detail of group lists does not display fields for editing. 
Group members can, however, edit personal mail lists. 
[01 94] Account Managers can manipulate group mail 

s lists. The detail 444 presented to account managers dis- 
plays the name 446 of the mail list in an editable form. 
To rename the list, the user changes the name in the 
form and clicks on the update button 448. Users may 
also delete 450 the entire mail list or add addresses 452 

io by clicking on the appropriate button. The total recipi- 
ents 454 and date last modified 456 are also displayed. 
[01 95] The detail also displays the mail list addresses 
458. In the preferred embodiment of the invention, the 
first page of the complete address list is displayed in 

is accordance with the number of rows per page specified 
in the mail list preferences. The detail indicates which 
addresses out of the total are displayed. Next and previ- 
ous links (not shown) may be provided to navigate 
between multiple pages of addresses. 

so [0196] The user can also view a select set of 
addresses by specifying a query in the field 460 pro- 
vided. For example, an e-mail address or a portion of an 
address such as a domain name can be specified. 
Clicking on the view button 462 then displays a table 

25 464 of matching addresses 458. The table indicates 
which addresses 466 out of the total matching set of 
addresses are displayed. 

[0197] The user edits or deletes individual addresses 
in the table by clicking on the appropriate address. An 
30 edit page (not shown) with update and delete buttons is 
then displayed. When the address is updated or 
deleted, users are returned to an updated mail list detail 
page. 

[0198] From the detail page, users can also delete 
35 multiple addresses at a time. Clicking on the "delete 
items on page" button 468 deletes all the addresses in 
the table. Clicking on "delete all matching items" 470 
deletes all items which matched the query, whether or 
not the addresses are visible on the current page: A 
40 warning message asking the user to confirm the action 
is displayed before the dedicated server actually deletes 
the addresses. Once the addresses are deleted, the 
detail page is immediately updated and presented to the 
user. 

45 [0199] Clicking on the add addresses button 452 in 
the mail list detail 444 displays the add addresses page. 
Fig. 29 is a view of an Add Addresses window 472 
according to the preferred embodiment of the invention. 
The name of the current mail list 474 is displayed at the 

so top. The name is also linked to the mail list detail page. 
[0200] The user can add additional addresses by 
manual entry 476, by uploading them from a file. The 
user can enter a file name 478, or use the browse but- 
ton 480 to search all files. Names may also be obtained 

55 from an existing mail list 482 and merged with the cur- 
rent mail list. The additional addresses are added 484 to 
the current address list or replace 486 the current list. 
After the names are submitted, the users are returned 
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secure document delivery stems from the challenge of 
encrypting a document 1312 with the public key 1332 of 
the intended recipient 1370. In particular, the intended 
recipient 1370 of a document may not have a digital cer- 
tificate 1345. In the absence of a digital certificate 1345 5 
of the recipient 1370 which is accessible by the sender 
1352, the sender 1352 of a document 1312 cannot 
encrypt the document 1312 with the recipient's public 
key 1332, and hence cannot be assured that the docu- 
ment 1312 can be protected from unsolicited access, w 
The sender driven certificate enrollment system 1342 
allows the sender 1352 of a document 1312 to initiate 
the process of dynamically generating a digital certifi- 
cate 1345 for the intended recipient 1370, thereby 
imposing minimum requirements for the intended recip- 75 
ient 1370. 

[0215] The sender driven certificate enrollment sys- 
tem 1342 transfers the burden of certificate generation 
from the recipient 1 370 of a given document 1 31 2 to the 
sender 1352. The sender driven certificate enrollment 20 
system 1 342 exploits the fact that, in the context of doc- 
ument delivery, often the sender 1352 of a document 
1312 has unique and specific information regarding the 
intended recipient 1370. Suppose, for example, an 
attorney sends a document to a client 1370. The attor- 25 
ney 1352 likely has a record associated with the client 
1370 which contains specific information, such as the 
client's e-mail address, physical address, telephone 
number. The client record may also contain confidential 
information, such as the client's social security number, 30 
drivers license number, or even credit information. 
[0216] Typically, it is this type of confidential informa- 
tion which is utilized to authenticate a given individual or 
entity 1370, and hence generate a digital certificate 
1345. Highly confidential and specific information yields 35 
a high level of authentication, and hence a secure digital 
certificate. 

[0217] Therefore, the sender driven enrollment sys- 
tem 1342 exploits the fact that the sender 1352 often 
knows significant and confidential information regarding 40 
an intended recipient 1370 of a document 1312. The 
use of this confidential information by the sender 1352 
to generate a digital certificate 1345 minimizes the bur- 
den imposed on the recipient 1370 to confirm their iden- 
tity. The digital certificate 1345 is then utilized by the 45 
sender 1352 to securely send the document 1312 to the 
intended recipient 1370. 

[0218] System Implementation. In the example above, 
a sender attorney 1352 wishes to send a confidential 
document to an intended recipient client 1 370. For a cli- 50 
ent 1370 that does not currently have a digital certificate 
1345 accessible to the attorney 1352, the attorney 1352 
can invoke the sender driven enrollment system 1 342 to 
generate a digital certificate 1345 for the client 1370. 
[0219] First, the sender driven enrollment system 55 
1342 checks or queries a database 1346 to determine if 
a digital certificate 1345 exists for the recipient client 
1370. If not, the sender driven enrollment system 1342 



conducts a database query to pull up a record for the cli- 
ent 1370, which typically includes client specific and 
confidential information. 

[0220] The sender driven certificate enrollment sys- 
tem 1342 then generates a certificate digest 1347, as 
shown in Fig. 36. This certificate digest 1347 contains 
most of the information necessary to generate a digital 
certificate 1345 for the client 1370. including the client 
specific data 1348, and the type of certificate to gener- 
ate 1349 (e.g. an X.509 certificate). In a preferred 
embodiment, the certificate digest 1347 is forwarded to 
a secure SDCE server 1358. The SDCE server 1358 
then "contacts" the client 1370 seeking independent 
confirmation of the confidential information 1348. For 
example, in a preferred embodiment of the invention, 
the SDCE server 1358 forwards an e-mail message to 
the client 1370 with a unique, dynamically generated 
URL (uniform resource locator). The client 1370 can 
then "click" or access this URL through a standard web 
browser. Accessing the URL begins a direct interaction, 
or SDCE conversation 1368, between the client 1370 
and the SDCE server 1358. 

[0221] The client 1370 is typically asked to input one 
or more pieces of confidential information 1348 to the 
SDCE server 1358. In a preferred embodiment, the con- 
versation takes place over a secure socket layer (SSL) 
channel between client 1370 and the SDCE server 
1358, and utilizes HTML forms. 
[0222] The SDCE server 1 358 then attest whether the 
client 1370 is correct, by comparing input information to 
the stored client information 1348 within the stored cer- 
tificate digest 1347. On a match, the SDCE server 1358 
forwards the certificate digest 1347 over a secure chan- 
nel to the recipient client's desktop 1372, and also dis- 
tributes software to the recipient client 1370, which uses 
the certificate digest 1347 to generate a key pair 1332, 
1340 on the recipient system. In the preferred embodi- 
ment of the invention, this software is simply a Java 
applet, transparently forwarded to the recipient 1370 
through the browser. The generated private key 1 332 is 
stored on the recipient system 1370, preferably using 
the PKCS12 format. The public key 1332 is forwarded 
back to the SDCE server 1358, which typically registers 
both the public and client information as the digital cer- 
tificate 1345 on a certificate server 1388, such as an 
LDAP or an Entrust certificate management server (of 
Entrust. Inc., Ottawa, Canada). 
[0223] The sender (e.g. the attorney) 1352, can now 
access the stored public key 1332 for the intended 
recipient client 1370, encrypt the document 1312 
intended for the recipient client 1370 with the public key 
1332, and then send the encrypted document 1336 to 
the client 1370. The client 1370. in turn, decrypts 1338 
the encrypted document 1336 with [the public key and] 
the corresponding private key 1340, which is now resi- 
dent on the private recipient system 1370. 
[0224] Fig. 37 shows the first stage 1 350 of the sender 
driven certificate enrollment system 1342. A sender 
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[0235] SDCE Server Software. The SDCE Server 
software, in a preferred embodiment of the invention, 
includes a HTTP Web Server with a customized filter to 
intercept and redirect all HTTP requests, a e-mail server 
to forward notifications on to an intended recipient 1370, 
and the basic software and logic to query a database 
server, to generate a certificate digest 1347 (as 
described above), and to interact with all other compo- 
nents of the system. 

[0236] The Web server is a primary interface between 
the SDCE server 1358 and the intended recipient 1370 
of a document 1312, in which the SDCE server 1358 
assists in the construction of a digital certificate 1345. 
[0237] In a preferred embodiment of the invention, the 
SDCE server software initiates an attestation conversa- 
tion 1366 (Fig. 38) with the intended recipient 1370, by 
dynamically generating a private URL The private URL 
contains a key to uniquely identify the recipient 1370, 
and then forwards this "key" to the recipient over a 
standard e-mail notification. When the recipient 1370 
accesses this "key" (which in fact is a private URL), the 
SDCE server 1358 associates the key with a given cer- 
tificate digest 1 347, and then through the Web interface, 
conducts the attestation conversation 1366, to verify 
that the given recipient 1370 matches the parameters of 
the certificate digest 1347. 

[0238] Recipient Client Software. The sender driven 
certificate enrollment system 1342 creates a public/pri- 
vate key pair from a certificate digest 1347, which is for- 
warded from the SDCE server 1358 to the recipient 
system 1370. Client software on ihe recipient computer 
takes the certificate digest 1347, constructs the pub- 
lic/private key pair 1332, 1340 on the recipient desktop 
1372, stores these keys 1332, 1340 on the recipient 
system 1370, and then forwards the public key 1332 to 
the SDCE server 1358. 

[0239] In a preferred embodiment, the recipient client 
software is a Java applet, which is transparently and 
dynamically downloaded via a web browser, in which 
the recipient simply accesses an URL, as described 
above. 

[0240] Certificate Server. The invention makes use of 
basic digital certificate management. The certificate 
server 1 388 includes query ability, which determines if a 
digital certificate exists for a recipient given a specific 
user profile (e.g. an e-mail address and identifier). The 
certificate server 1388 also includes update ability, 
which allows a programmatic interface to add a new cer- 
tificate to the server's database. In preferred embodi- 
ments, LDAP, X.500, or proprietary certificate servers 
such as a Entrust server can be used as certificate 
servers 1388. 

[0241 ] Database Server. In a preferred embodiment of 
the invention, the SDCE server 1358 queries a data- 
base 1346 containing recipient information to construct 
a certificate digest 1347. In a basic embodiment, the 
sender's desktop 1354 can query an internal database 
1346, or the sender's desktop 1354 can simply load 



information directly from the desktop 1354. The pre- 
ferred database query provided by a SDCE server 1358 
supports more scalability and extensibility. 
[0242] In addition to the basic design for the invention, 

5 there remains situations wherein no recipient data 1 348 
exists which is readily accessible from the senders sys- 
tem 1352, either directly from the desktop 1354 or via a 
database query. In this case, the sender driven enroll- 
ment system 1342 still retains value. While the certrfi- 

w cate digest 1347 contains limited information 1348, the 
level of attestation is also limited. However, basic attes- 
tation can still take place, and the system 1342 still sim- 
plifies the process of generating a basic digital 
certificate 1345 for the recipient 1370. In this case, the 

75 system behaves exactly as designed, with the exception 
being a more simplistic conversation 1366 and certifi- 
cate digest 1347. 

[0243] Fig. 41 is flow chart 1302 that describes the 
basic decision tree behind the sender driven certificate 

20 enrollment system 1342. 

[0244] At step 1 02, the sender 1 352 queries the cer- 
tificate server 1388 for the public key 1332 of an 
intended recipient 1370 for a document 1312. If the pub- 
lic key 1332 exists, the document 1312 is encrypted with 

25 the public key 1332, and is sent to the recipient 1370, at 
step 104. If the public key 1332 doesn't exist, the sender 
queries the SDCE Server 1358 for a certificate digest 
1347 for the intended recipient 1370, at step 1356. 
[0245] The SDCE server 1358 then queries the data- 

30 base 1346 for information 1348 regarding the intended 
recipient 1370, at siep 1360. If the information exists 
and is already stored in the database 1346, the SDCE 
server 1358 generates a rich certificate digest for the 
client 1370, at step 1365. If no information 1348 exists 

35 and is stored in the database 1346, the SDCE server 
1358 generates a simplified certificate digest 1347, at 
step 1364. 

[0246] At step 1368, the SDCE server 1358 initiates 
an attestation conversation 1366 with the recipient 

40 1370. If there is no match to the information 1348, the 
SDCE server 1358 notifies the sender 1352, at step 
106, and there is no generation of a key pair 1332, 
1340. If there is a match, a private/public key pair 1332, 
1340 for the recipient 1370 is generated on the recipient 

45 system 1370, at step 1380. The key pair is then for- 
warded to the SDCE server 1358, at step 1382. At step 
1388, the SDCE server registers the certificate for the 
intended recipient 1370 with a certificate server 1388. 
At step 1390, the SDCE server notifies' the sender 1352 

so of the digital certificate 1 345. The sender 1 352 can then 
encrypt the document 1312 with the generated public 
key 1332 of the intended recipient 1370, as shown in 
Fig. 3. When the encrypted document 1336 is sent to 
the recipient 1370, typically over a network 1344, the 

55 recipient 1370 can decrypt the encrypted document 
1336, using the stored private key 1340, as shown in 
Fig. 4. 

[0247] Although the sender driven certificate enroll- 
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an HTML interface on a computer desktop (12) for 
managing said dedicated server (22) via a Web 
browser. 

13. The apparatus of any of Claims 10 to 12, further 5 
comprising a send client application (20) for deliver- 
ing said at least one document (16) as a single 
package from said desktop (12) of a sending com- 
puter (14) over said electronic network (1 8) during a 
session. w 

14. The apparatus of Claim 13, said send client appli- 
cation (20) comprising: 

an application window (32, 1 40) for displaying a 15 
send client application interface said applica- 
tion window (32,140) comprising a tool bar (34) 
for accessing main functions of said send client 
application (20), a package manager for listing 
all document activities initiated during a send 20 
client application session, and a menu listing 
operational commands for said send client 
application; 

a package window (78,170) for specifying the 
parameters of said document delivery; and 25 
a storage module for configurably storing said 
document delivery parameters, wherein said 
document delivery is initiated using said stored 
document delivery parameters. 

30 

15. The apparatus of any of Claims 10 to 14, further 
comprising a security framework for restricting 
access to said apparatus (10) and/or said docu- 
ment (16). 

35 

16. A method for document management and delivery 
on an electronic network (18) comprising the steps 
of: 

delivering at least one document (16) as a sin- 40 
gle package from a sending computer (14) to a 
dedicated server (22,505) over an electronic 
network (18) during a session (500) using a 
send client application (20); 
storing said at least one document (16,515) 45 
from said sending computer (14) on said dedi- 
cated server (22,505); 

forwarding an electronic message to a receiv- 
ing device (24,26,28,530) from said dedicated 
server (22,505); and so 
downloading said at least one stored document 
(535) from said dedicated server (22,505) 
using a receive client application (30) on said 
receiving device (24,26,28,530), in response to 
the electronic message. 55 

17. The method of Claim 16, further comprising the 
step of: 



40 

said sending computer desktop (12) displaying 
an application window (32,140) with a send cli- 
ent application interface having a tool bar for 
accessing main functions of said send client 
application (20), a package manager for listing 
all document activities initiated during said ses- 
sion (500). and a menu listing operational com- 
mands for said send client application (20). 

18. The method of Claim 17, further comprising the 
step of: 

specifying the parameters of said document 
delivery in a packaging window (78,170). 

19. The method of Claim 18, comprising the step of: 

configurably storing, in a storage module, said 
specified document delivery parameters, 
wherein said document delivery is initiated 
using said stored document delivery parame- 
ters. 

20. The method of any of Claims 16 to 19, further com- 
prising the step of: 

providing a security framework for restricting 
access to said system, said security framework 
supporting at least one of authentication layers, 
secure socket layers, password protection, pri- 
vate key encryption, public key encryption, and 
certificate authentication. 

21. The method of any of Claims 16 to 20, further com- 
prising the step of: 

initiating said document delivery from the con- 
tents of an address book of a supported appli- 
cation on said sending computer (14). 

22. The method of any of Claims 16 to 21, comprising 
the step of: 

displaying a Configuration User Interface appli- 
cation window (140) for managing said dedi- 
cated server (22,505) on a computer desktop 
(12), said configuration user interface applica- 
tion window (140) having a main tool bar for 
accessing main functions of said configuration 
user interface, a secondary tool bar for access- 
ing functions within said main functions, a 
workspace for displaying an interactive inter- 
face to an accessed function, and a menu list- 
ing operational commands for said 
configuration user interface. 

23. An apparatus for generating a digital certificate 
(1345) for a recipient (1370) by a sender (1352), 



EP 0 907 120 A2 



21 



43 



EP 0 907 120 A2 



step of comparing said gathered information with 
said queried, stored recipient information (1348) is 
performed by a server (1358,1362,1388). 

41 . The method of any of Claims 34 to 40, further com- s 
prising the step of: 

generating a certificate digest (1347) compris- 
ing said stored recipient information (1348) and 
sender selectable options (1349) for said digital io 
certificate (1345). 
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